From 3a6a1691ceeebdef92c59ac13239b779931d1559 Mon Sep 17 00:00:00 2001 From: Jarek Prokop Date: Mon, 10 Jun 2024 19:23:10 +0200 Subject: [PATCH] Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. Fix for CVE-2023-36617. https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2 Resolves: RHEL-5614 --- ...ms-incomplete-fix-for-CVE-2023-28755.patch | 44 +++++++++++++++++++ ruby.spec | 13 +++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch diff --git a/ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch b/ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch new file mode 100644 index 0000000..090d64c --- /dev/null +++ b/ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch @@ -0,0 +1,44 @@ +From 5d08bbb0415c2ecc10037837b81e6a27d40ee7be Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Thu, 29 Jun 2023 22:25:17 +0900 +Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997) + +* Merge URI-0.10.3 + +--- + +Backport note, bundler is not distributed the same as RubyGems in Ruby +2.5, therefore we do not use backport for Bundler. +--- + lib/uri/rfc2396_parser.rb | 4 ++-- + lib/uri/rfc3986_parser.rb | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index b9e7b2b26e..c7c3ecd96d 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -502,8 +502,8 @@ def initialize_regexp(pattern) + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index ad32368cfa..1accd03376 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -106,7 +106,7 @@ def default_regexp # :nodoc: + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + diff --git a/ruby.spec b/ruby.spec index 126e977..4f1a141 100644 --- a/ruby.spec +++ b/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 111 +%global release 112 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} @@ -234,6 +234,11 @@ Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch # https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416 # https://bugs.ruby-lang.org/issues/20106 Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch +# CVE-2023-36617 ReDoS vulnerability - upstream's incomplete fix +# for CVE-2023-28755. +# Tests not included as assert_linear_time was introduced in Ruby 2.7. +# https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2 +Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -648,6 +653,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ %patch41 -p1 %patch42 -p1 %patch43 -p1 +%patch44 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1200,6 +1206,11 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Tue May 21 2024 Jarek Prokop - 2.5.9-112 +- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. + (CVE-2023-36617) + Resolves: RHEL-5614 + * Mon Jun 12 2023 Jarek Prokop - 2.5.9-111 - Fix HTTP response splitting in CGI. Resolves: CVE-2021-33621